
I'm studying for the CKA certification and I'm analyzing the Admission Control Flow. I have read the official k8s docs about it and I don't see any reference to when schema validation happens. When is it checked if I put v49 instead of v1 in the apiVersion field, or similar?

I have seen other sources about it, for example this, but I don't understand where this information came from, since it isn't presented in the official docs.

Instead, in another section of the official k8s docs, which you can see here, the following sentence is reported:

Because the OpenAPI validation schemas are also published to clients, kubectl also checks for unknown fields and rejects those objects well before they would be sent to the API server.

But how is it possible that the kubectl client knows all the schemas for resources? I could install many CRDs over time without updating the kubectl CLI.

I'm a bit confused.

2 Answers


But how is it possible that the kubectl client knows all the schemas for resources? I could install many CRDs over time without updating the kubectl CLI.

k8s has two parts. First, it has its built-in schema for standard objects; you can even download it if you have a working cluster (make sure your kubeconfig is correct):

kubectl proxy --port=8080 &
curl http://127.0.0.1:8080/openapi/v2 > k8s_openapi_schema.json

You can also list and download all CRDs; each of them will also have an OpenAPI schema.

It's possible to get that data and validate your resources. https://github.com/yannh/kubeconform?tab=readme-ov-file#limits-of-kubeconform-validation is a good example of how to do this.

The only thing is, there are some extra checks that k8s does outside of the checks based on OpenAPI. The link above provides a bit more info.


3 Comments

Thank you. So all resource schemas are validated by the kubectl client?
The verification happens on both sides in the case of kubectl. The server checks resources; I guess it's not safe to verify only on the client side, because there are other implementations which can talk via the API. But kubectl is a manual tool, and it's a good idea to verify resources before sending them to the server. Also, when I played with kubeval some time ago and compared it with k8s verification itself, I found k8s was more 'forgiving', at least that was the case a couple of years ago. I read that k8s has slightly more tricky/heuristic ways of checking resources -> different results.
And in the case of the Admission Control Flow, where is this check performed by the API Server?

The Kubernetes API server performs schema validation early in the request processing pipeline, specifically during the API request validation phase, which occurs before the Admission Control phase. If schema validation passes, the request proceeds to the admission control phase, where admission controllers such as ValidatingAdmissionWebhook, MutatingAdmissionWebhook, etc., apply additional checks.

Because the OpenAPI validation schemas are also published to clients, kubectl also checks for unknown fields and rejects those objects well before they would be sent to the API server.

This means that kubectl can perform client-side validation using the OpenAPI schemas obtained from the Kubernetes API server. When you run kubectl, it communicates with the API server to fetch the OpenAPI schema, which defines the structure of all API resources, including their apiVersion and kind. Before sending a request, for example kubectl apply -f my-pod.yaml, kubectl validates the YAML/JSON manifest against the fetched OpenAPI schema. If you specify an invalid apiVersion, kubectl will reject the request locally.

Refer to OpenAPI specification, API Overview and How Kubernetes Validates Custom Resources for additional information.
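The following is an added example, not code from the question or from either answer, illustrating what both answers describe: a client that has fetched the cluster's OpenAPI v2 document (as the first answer shows with `kubectl proxy` and `curl .../openapi/v2`) can reject an unknown apiVersion such as v49 and unknown fields before anything reaches the API server (the second answer's point). The OpenAPI document below is constructed and trimmed to a few definitions; a real cluster publishes far more, and each installed CRD adds its own definitions in the same shape, which is how a client learns about new resources without the kubectl binary changing. The `example.com/v1 Widget` CRD and all manifests are hypothetical. The validator itself is a simplified stand-in for what kubectl and kubeconform do, not their code.

```python
"""Client-side manifest validation against a published OpenAPI v2 document.

Added example (not the question's, the answers', kubectl's or kubeconform's code).
OPENAPI_V2 is a constructed stand-in for `curl http://127.0.0.1:8080/openapi/v2`.
"""

GVK_EXT = "x-kubernetes-group-version-kind"  # real extension name used by the API server
META_REF = "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"

OPENAPI_V2 = {  # constructed, trimmed stand-in for the real document
    "swagger": "2.0",
    "definitions": {
        "io.k8s.api.core.v1.Pod": {
            "type": "object",
            "properties": {
                "apiVersion": {"type": "string"}, "kind": {"type": "string"},
                "metadata": {"$ref": META_REF},
                "spec": {"$ref": "#/definitions/io.k8s.api.core.v1.PodSpec"},
            },
            GVK_EXT: [{"group": "", "version": "v1", "kind": "Pod"}],
        },
        "io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta": {
            "type": "object",
            "properties": {"name": {"type": "string"},
                           "labels": {"type": "object", "additionalProperties": {"type": "string"}}},
        },
        "io.k8s.api.core.v1.PodSpec": {
            "type": "object", "required": ["containers"],
            "properties": {
                "containers": {"type": "array", "items": {"$ref": "#/definitions/io.k8s.api.core.v1.Container"}},
                "restartPolicy": {"type": "string"},
            },
        },
        "io.k8s.api.core.v1.Container": {
            "type": "object", "required": ["name"],
            "properties": {"name": {"type": "string"}, "image": {"type": "string"}},
        },
        # Hypothetical CRD: once installed, its schema is published in exactly this shape.
        "com.example.v1.Widget": {
            "type": "object",
            "properties": {
                "apiVersion": {"type": "string"}, "kind": {"type": "string"},
                "metadata": {"$ref": META_REF},
                "spec": {"type": "object", "required": ["size"], "properties": {"size": {"type": "integer"}}},
            },
            GVK_EXT: [{"group": "example.com", "version": "v1", "kind": "Widget"}],
        },
    },
}

JSON_TYPES = {"string": str, "integer": int, "number": (int, float),
              "boolean": bool, "object": dict, "array": list}


def gvk_index(doc):
    """Map 'apiVersion/kind' -> schema, from the GVK extension (core group has an empty group)."""
    index = {}
    for definition in doc["definitions"].values():
        for gvk in definition.get(GVK_EXT, []):
            api_version = gvk["version"] if gvk["group"] == "" else f"{gvk['group']}/{gvk['version']}"
            index[f"{api_version}/{gvk['kind']}"] = definition
    return index


def resolve(doc, schema):
    """Follow a local $ref chain to the concrete definition."""
    while "$ref" in schema:
        schema = doc["definitions"][schema["$ref"].rsplit("/", 1)[1]]
    return schema


def check(doc, schema, value, path, errors):
    """Recursive structural check: JSON type, required keys, unknown fields."""
    schema = resolve(doc, schema)
    expected = schema.get("type")
    bad_bool = expected in ("integer", "number") and isinstance(value, bool)  # bool is an int in Python
    if expected in JSON_TYPES and (bad_bool or not isinstance(value, JSON_TYPES[expected])):
        errors.append(f"{path}: expected {expected}, got {type(value).__name__}")
        return
    if expected == "object":
        props, extra = schema.get("properties", {}), schema.get("additionalProperties")
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}: missing required field {key!r}")
        for key, item in value.items():
            if key in props:
                check(doc, props[key], item, f"{path}.{key}", errors)
            elif isinstance(extra, dict):           # map-like object, e.g. labels
                check(doc, extra, item, f"{path}.{key}", errors)
            elif "properties" in schema:            # closed object: reject typos like 'imag'
                errors.append(f"{path}: unknown field {key!r}")
    elif expected == "array":
        for i, item in enumerate(value):
            check(doc, schema["items"], item, f"{path}[{i}]", errors)


def validate(doc, manifest):
    """Return a list of errors; an empty list means the client-side check passed."""
    api_version, kind = manifest.get("apiVersion"), manifest.get("kind")
    if not api_version or not kind:
        return ["manifest must set apiVersion and kind"]
    schema = gvk_index(doc).get(f"{api_version}/{kind}")
    if schema is None:  # e.g. apiVersion v49: nothing published for it, reject locally
        return [f"no schema published for apiVersion={api_version!r} kind={kind!r}"]
    errors = []
    check(doc, schema, manifest, kind, errors)
    return errors


# Constructed manifests exercising the cases from the question.
GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web", "labels": {"app": "web"}},
            "spec": {"containers": [{"name": "web", "image": "nginx:1.27"}]}}
WRONG_VERSION = dict(GOOD_POD, apiVersion="v49")
TYPO_FIELD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
              "spec": {"containers": [{"name": "web", "imag": "nginx:1.27"}]}}
BAD_WIDGET = {"apiVersion": "example.com/v1", "kind": "Widget", "metadata": {"name": "w"},
              "spec": {"size": "big"}}

if __name__ == "__main__":
    for name, manifest in [("good", GOOD_POD), ("v49", WRONG_VERSION), ("typo", TYPO_FIELD), ("crd", BAD_WIDGET)]:
        print(name, validate(OPENAPI_V2, manifest) or "OK")
```

An empty result here is necessary but not sufficient: as the first answer notes, the API server applies checks that are not expressed in the OpenAPI schema, so a manifest that passes locally can still be rejected server-side, and other API clients skip the client-side step entirely, which is why the server never relies on it.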
